Tremor Virus


 Virus Name:  Tremor 
 Aliases:    
 V Status:    Common (particularly in Germany) 
 Discovered:  March, 1993 
 Symptoms:    .COM & .EXE growth; decrease in total system and available 
              free memory; minor shaking of system display; message 
 Origin:      Germany 
 Eff Length:  4,000 Bytes 
 Type Code:   PRhEK - Parasitic Resident COMMAND.COM & .EXE Infector 
 Detection Method:  F-Prot, IBMAV, ViruScan, NAV, AVTK, Sweep, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    Sweep/N, NAV/N, AVTK/N, Innoc, IBMAV/N, NShld, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Tremor virus was received in March, 1993, and is from Germany. 
       Tremor is a memory resident infector of COMMAND.COM and .EXE files. 
       It is an "anti anti-virus virus", containing some checks to avoid 
       detection by anti-viral software. 
 
       When the first Tremor infected program is executed, the Tremor virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, hooking interrupts 15 and 21.  If, 
       however, upper memory or extended memory is available, the virus 
       will install most of its code in that memory instead, with a hook 
       to it in memory below 640K.  Total system and available free memory, 
       as indicated by the DOS CHKDSK program, will have decreased by 4,288 
       bytes.  Also at this time, the virus will infect the copy of 
       COMMAND.COM pointed to by the COMSPEC variable. 
 
       Once memory resident, the Tremor virus will infect .EXE programs 
       when they are executed, adding 4,000 bytes to the file's length. 
       The file length increase will be hidden when Tremor is resident. 
       The virus will be located at the end of the file.  The program's 
       date and time in the DOS disk directory listing will not appear to 
       be altered, but will actually have had 100 added to the years field 
       in the file date.  This is the infection marker for the virus. 
       Tremor is an encrypted virus, and no text strings are visible within 
       the viral code in infected programs. 
 
       Systems infected with the Tremor virus will experience a sluggish 
       system response to commands and program execution.  File allocation 
       errors will be detected by the CHKDSK program when the virus is 
       memory resident, but not when Tremor is not in memory.  After Tremor 
       has been present on the system for over three months, a slight 
       shaking effect of the contents of the system display may occur 
       accompanied by a system hang.  The virus may also occasionally 
       clear the system display and display the following message on the 
       system monitor: 
 
               "-=> T.R.E.M.O.R was done by NEUROBASHER 
                       / May-June '92, Germany <=- 
                -MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-" 
 
       After a few seconds, the system will then return to "normal". 
 
       The Tremor virus is a full stealth virus, disinfecting programs as 
       they are read into memory.  As a result, anti-viral programs which 
       are executed to check file checksums/CRCs, or for the presence of 
       the virus in files without first verifying it isn't in memory, will 
       not find the virus in files.  It also checks for the presence of 
       some anti-viral monitoring programs in memory.  Additionally, Tremor 
       is polymorphic, and an algorithmic approach must be used for 
       detection. 
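
       Because the date marker and file growth are hidden while Tremor is
       resident, the marker is best checked in raw directory data read from a
       disk image or after a clean boot; the Python sketch below is an added
       example, not part of the original entry.  It assumes standard 32-byte
       FAT directory entries, assumes COMMAND.COM carries the same date marker
       as .EXE files, and uses constructed sample entries.

```python
import struct

MARKER = 100  # years added to the FAT date's years field, per the entry above

def make_entry(name, ext, year, month, day, size, first=None):
    """Build a constructed 32-byte FAT directory entry (sample data only)."""
    raw = name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20" + bytes(10)
    date = ((year - 1980) << 9) | (month << 5) | day
    raw += struct.pack("<HHHI", 0, date, 2, size)  # time, date, cluster, size
    return bytes([first]) + raw[1:] if first is not None else raw

def scan_directory(raw_dir):
    """Return (filename, stored_year, likely_original_year, size) per suspect."""
    hits = []
    for off in range(0, len(raw_dir) - 31, 32):
        e = raw_dir[off:off + 32]
        if e[0] == 0x00:                  # no further entries in this directory
            break
        if e[0] == 0xE5 or e[11] & 0x18:  # deleted, volume label/LFN, subdir
            continue
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        if ext != "EXE" and (name, ext) != ("COMMAND", "COM"):
            continue                      # only the file types Tremor infects
        _time, date, _cluster, size = struct.unpack_from("<HHHI", e, 22)
        years_field = date >> 9           # 7 bits, years since 1980
        if years_field >= MARKER:         # stored year 2080 or later
            hits.append((f"{name}.{ext}", 1980 + years_field,
                         1980 + years_field - MARKER, size))
    return hits

# Constructed sample directory: two marked files, one clean, one non-target,
# one deleted entry, then the end-of-directory marker.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 2091, 4, 9, 51845),
    make_entry("CLEAN", "EXE", 1992, 11, 3, 12000),
    make_entry("GAME", "EXE", 2093, 1, 15, 34000),
    make_entry("README", "TXT", 2093, 1, 15, 500),
    make_entry("OLD", "EXE", 2093, 1, 15, 9000, first=0xE5),
    bytes(32),
])

if __name__ == "__main__":
    for hit in scan_directory(SAMPLE_DIR):
        print("suspect: %s stored year %d (likely %d), %d bytes" % hit)
```

       A hit is only a pointer for follow-up scanning with an algorithmic
       detector, since any file with a stored year of 2080 or later matches.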
      
